CD113: CISA is Law

Cybersecurity or surveillance? What does the language attached at the last minute to the 2,009 page omnibus government funding bill actually authorize? In this episode, we take a close look at what just became law.

The Cybersecurity Act of 2015 was attached at the last minute to the "omnibus" government funding bill, which was 2,009 pages long and available to read for less than three days before it became law. This is and outline of what became law:

"Agency": "Any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of Government"

Does NOT include the Government Accountability Office, Federal Election Commission, or Government-owned contractor-operated facilities

"Cybersecurity threat": An action that "may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system".

Non-Federal entities sharing information mush "review" the information for "personal information of a specific individual" and "remove such information" OR have a technical way of removing the information it "knows at the time of sharing" to be personal information.

"Engaging with international partners… to collaborate on cyber threat indicators, defensive measures, and information related to cybersecurity risks and incidents"

"Sharing cyber threat indicators, defensive measures, and other information related to cybersecurity risks and incidents with Federal and non-Federal entities… and with State and major urban area fusion centers"

Subtitle B: Federal Cybersecurity Enhancement Act of 2015

Requires the Secretary of Homeland Security and the Director of the Office of Management and Budget to develop a plan to proactively detect, identify, and remove intruders in agency information systems.

The plan will not apply to the Department of Defense, a "national security system" or an element of the intelligence community

The Secretary of State must consult with government officials in countries where we don't have an extradition treaty to determine what actions they've taken to catch "cyber criminals" with arrest warrant issued by US judges or Interpol.